#!/bin/bash

# SmartInput SSL 证书检查脚本
# 验证所有服务都使用统一的 SSL 证书

set -e  # 遇到错误立即退出

# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# 项目根目录
PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CERT_DIR="$PROJECT_ROOT/certs"

# 打印带颜色的消息
print_message() {
    local color=$1
    local message=$2
    echo -e "${color}${message}${NC}"
}

# 检查证书文件
check_cert_files() {
    print_message $BLUE "🔍 检查 SSL 证书文件..."
    
    local cert_path="$CERT_DIR/cert.pem"
    local key_path="$CERT_DIR/key.pem"
    
    if [ -f "$cert_path" ] && [ -f "$key_path" ]; then
        print_message $GREEN "✅ SSL 证书文件存在"
        print_message $BLUE "   📄 证书文件: $cert_path"
        print_message $BLUE "   🔑 私钥文件: $key_path"
        
        # 显示证书信息
        print_message $BLUE "📋 证书信息:"
        openssl x509 -in "$cert_path" -text -noout | grep -E "(Subject:|Issuer:|Not Before:|Not After:)" | head -4
    else
        print_message $RED "❌ SSL 证书文件不存在"
        print_message $YELLOW "💡 请运行 ./start.sh 自动生成证书"
        return 1
    fi
}

# 检查证书有效性
check_cert_validity() {
    print_message $BLUE "🔍 检查证书有效性..."
    
    local cert_path="$CERT_DIR/cert.pem"
    
    if openssl x509 -in "$cert_path" -checkend 0 >/dev/null 2>&1; then
        print_message $GREEN "✅ 证书有效"
        
        # 显示过期时间
        local expiry=$(openssl x509 -in "$cert_path" -enddate -noout | cut -d= -f2)
        print_message $BLUE "   📅 过期时间: $expiry"
    else
        print_message $RED "❌ 证书已过期或无效"
        return 1
    fi
}

# 检查服务配置
check_service_configs() {
    print_message $BLUE "🔍 检查服务 SSL 配置..."
    
    # 检查服务器配置
    if grep -q "certs.*cert.pem" server/src/index.ts; then
        print_message $GREEN "✅ 服务器配置使用统一证书"
    else
        print_message $RED "❌ 服务器配置未使用统一证书"
    fi
    
    # 检查管理后台配置
    if grep -q "certs.*cert.pem" admin-panel/vite.config.ts; then
        print_message $GREEN "✅ 管理后台配置使用统一证书"
    else
        print_message $RED "❌ 管理后台配置未使用统一证书"
    fi
}

# 测试 HTTPS 连接
test_https_connections() {
    print_message $BLUE "🔍 测试 HTTPS 连接..."
    
    # 测试服务器连接
    if curl -s --connect-timeout 3 -k https://localhost:3001 >/dev/null 2>&1; then
        print_message $GREEN "✅ 服务器 HTTPS 连接正常 (端口 3001)"
    else
        print_message $YELLOW "⚠️  服务器未运行或 HTTPS 连接失败"
    fi
    
    # 测试管理后台连接
    if curl -s --connect-timeout 3 -k https://localhost:3002 >/dev/null 2>&1; then
        print_message $GREEN "✅ 管理后台 HTTPS 连接正常 (端口 3002)"
    else
        print_message $YELLOW "⚠️  管理后台未运行或 HTTPS 连接失败"
    fi
}

# 显示证书指纹
show_cert_fingerprint() {
    print_message $BLUE "🔍 证书指纹信息..."
    
    local cert_path="$CERT_DIR/cert.pem"
    
    if [ -f "$cert_path" ]; then
        print_message $BLUE "📋 SHA256 指纹:"
        openssl x509 -in "$cert_path" -fingerprint -sha256 -noout | cut -d= -f2
        
        print_message $BLUE "📋 SHA1 指纹:"
        openssl x509 -in "$cert_path" -fingerprint -sha1 -noout | cut -d= -f2
    fi
}

# 主函数
main() {
    print_message $GREEN "🔒 SmartInput SSL 证书检查"
    print_message $BLUE "================================"
    
    # 检查证书文件
    if ! check_cert_files; then
        exit 1
    fi
    
    print_message $BLUE ""
    
    # 检查证书有效性
    if ! check_cert_validity; then
        exit 1
    fi
    
    print_message $BLUE ""
    
    # 检查服务配置
    check_service_configs
    
    print_message $BLUE ""
    
    # 测试 HTTPS 连接
    test_https_connections
    
    print_message $BLUE ""
    
    # 显示证书指纹
    show_cert_fingerprint
    
    print_message $BLUE ""
    print_message $BLUE "================================"
    print_message $GREEN "🎉 SSL 证书检查完成！"
    print_message $BLUE ""
    print_message $BLUE "💡 提示:"
    print_message $BLUE "   - 所有服务都使用统一的 SSL 证书"
    print_message $BLUE "   - 证书位于: $CERT_DIR/"
    print_message $BLUE "   - 如需重新生成证书，请运行: ./start.sh"
}

# 执行主函数
main "$@" 